How it works

Choose a target site to mock, preferably with a long URL (e.g. store.steampowered.com

Create subdomains on your site

com is a subdomain of ism.codes

steampowered is a subdomain of com.ism.codes

Navigate to that site on a mobile device, prefix the URL with www if you need to make it longer. If the overall URL is long enough, you will be able to see the part about store.steampowered.com but not ism.codes.

This is scarier than Tabnabbing in my opinion because with that, there was at least a way to passively detect (checking the URL bar) that the site was being imitated. With this, one would have to actively tap the URL bar to check the entire URL.

How can this be prevented?

Hmm. Manually checking the URL of every website that you enter credentials on would work, but that's a hassle. Chrome doesn't allow for mobile extensions to warn you about stuff like this.
In a case like this, showing the end of the URL host could work- showing ...com.ism.codes would let the user know that they are on my website, not the official Steam site.